# Azure AD Hybrid Attacks - From Kali
## Quick Reference

| Attack | Requirement | Impact |
|---|---|---|
| MSOL Account DCSync | Local admin on AAD Connect server | Full domain + cloud compromise |
| AZUREADSSOACC$ Abuse | DCSync rights or DA | Forge Azure AD tokens |
| PHS Hash Extraction | MSOL DCSync rights | Cloud account takeover |
| PTA Abuse | On-prem DC compromise | Transparent cloud auth bypass |
| Golden SAML | ADFS signing cert theft | Persistent cloud access |

## Azure AD Connect Abuse (MSOL Account)

Azure AD Connect synchronizes on-premises Active Directory to Azure AD. During setup, it creates a service account named MSOL_xxxxxxxx in the on-premises domain. This account is granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain root, the exact permissions required for DCSync. Its password is stored encrypted in a SQL LocalDB instance on the AAD Connect server. ...
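Because the MSOL account legitimately holds replication rights, the defensive question is not "who used DS-Replication-Get-Changes" but "who used it from where". The following is an added example (not code from the original page or from any Microsoft tooling) that classifies Windows Security event 4662 records: replication-GUID reads by domain controller computer accounts are expected, reads by the MSOL_ account are expected only from the AAD Connect server, and anything else is flagged. The host names, the MSOL account suffix, and the `subject_host` field (which 4662 does not carry natively and would have to be correlated from the logon event via Logon ID) are assumptions for this example; the sample records are constructed.

```python
"""
Classify Windows Security event 4662 records that use directory
replication control-access rights. Expected sources (DC computer
accounts, the AAD Connect service account from the AAD Connect host)
are ignored; everything else is reported.
"""
from dataclasses import dataclass

# Control-access-right GUIDs that appear in the 4662 "Properties" field
# when a principal reads directory changes.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Assumed environment facts (hypothetical names for this example).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
AAD_CONNECT_HOST = "AADC01"   # the only host allowed to use MSOL_


@dataclass
class Event4662:
    subject_user: str   # SubjectUserName from the event
    subject_host: str   # assumed enrichment: host correlated via Logon ID
    properties: str     # raw "Properties" field text (contains GUIDs)


def uses_replication_rights(ev: Event4662) -> bool:
    """True when the Properties field names a replication right GUID."""
    props = ev.properties.lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def classify(ev: Event4662):
    """Return None when the event is expected, otherwise a reason string."""
    if not uses_replication_rights(ev):
        return None
    user = ev.subject_user
    # Domain controllers replicate with each other; that is normal.
    if user.endswith("$") and user[:-1].upper() in DOMAIN_CONTROLLERS:
        return None
    # The AAD Connect service account reads changes for password hash
    # sync, but only the AAD Connect server should be doing it.
    if user.upper().startswith("MSOL_"):
        if ev.subject_host.upper() == AAD_CONNECT_HOST:
            return None
        return f"MSOL account used from unexpected host {ev.subject_host}"
    return f"replication rights used by non-DC principal {user}"


def scan(events):
    """Return (user, reason) pairs for every event that is not expected."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            findings.append((ev.subject_user, reason))
    return findings


# Constructed sample records (not real log data).
GET_CHANGES_ALL = "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
READ_PROPERTY = "Read Property {bf967a7f-0de6-11d0-a285-00aa003049e2}"

SAMPLE_EVENTS = [
    Event4662("DC02$", "DC02", GET_CHANGES_ALL),            # DC-to-DC replication
    Event4662("MSOL_1a2b3c4d", "AADC01", GET_CHANGES_ALL),  # AAD Connect, expected
    Event4662("MSOL_1a2b3c4d", "WKS-0042", GET_CHANGES_ALL),  # MSOL from elsewhere
    Event4662("jdoe", "WKS-0042", GET_CHANGES_ALL),         # ordinary user
    Event4662("jdoe", "WKS-0042", READ_PROPERTY),           # no replication right
]


def find_suspicious(events=None):
    """Run the scan over the constructed sample by default."""
    return scan(SAMPLE_EVENTS if events is None else events)


if __name__ == "__main__":
    for user, reason in find_suspicious():
        print(f"ALERT {user}: {reason}")
```

The two findings on the sample are the MSOL_ account used from a workstation and a plain user account reading changes; the DC and the AAD Connect host produce nothing. In a real deployment the allow-list of domain controllers and the AAD Connect host would come from inventory rather than constants, and the host attribution would come from joining 4662 to the matching 4624 logon record.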